Now your cluster has the credential of your CloudDNS admin service account,
which can be used to access your Cloud DNS. You can restrict access to the
credential secret within your cluster, so that only the pods that have the
permission to get the credential secret can access your Cloud DNS.
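
One way to check which RBAC roles can actually read the credential Secret, as an added example that is not part of the original page. The role names and rules are constructed sample data; `cloud-dns-key` is the Secret name used in the ExternalDNS manifest on this page.

```python
import json

READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample roles (not from a live cluster): one Role scoped to the
# key Secret, one cluster-wide rule, and one rule with a malformed resource.
SAMPLE_ROLES = json.loads("""
[
  {"kind": "Role", "name": "dns-key-reader",
   "rules": [{"apiGroups": [""], "resources": ["secrets"],
              "resourceNames": ["cloud-dns-key"], "verbs": ["get"]}]},
  {"kind": "ClusterRole", "name": "wide-viewer",
   "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
              "verbs": ["get", "watch", "list"]}]},
  {"kind": "ClusterRole", "name": "typo-viewer",
   "rules": [{"apiGroups": [""], "resources": ["pods,secrets"],
              "verbs": ["get", "watch", "list"]}]}
]
""")


def classify_rule(rule, secret_name):
    """Return 'scoped', 'broad', 'malformed' or None for one RBAC rule."""
    resources = rule.get("resources", [])
    # RBAC compares resource names as whole strings, so "pods,secrets"
    # matches neither pods nor secrets.
    if any("," in r for r in resources):
        return "malformed"
    if not ({"", "*"} & set(rule.get("apiGroups", []))):
        return None  # rule does not cover the core API group
    if not ({"secrets", "*"} & set(resources)):
        return None
    if not (READ_VERBS & set(rule.get("verbs", []))):
        return None
    names = rule.get("resourceNames", [])
    if not names:
        return "broad"  # every Secret within the binding's scope
    return "scoped" if secret_name in names else None


def audit(roles, secret_name="cloud-dns-key"):
    """Map each role name to its non-empty findings, in rule order."""
    report = {}
    for role in roles:
        found = [f for f in (classify_rule(r, secret_name) for r in role["rules"]) if f]
        if found:
            report[role["name"]] = found
    return report
```

Calling `audit(SAMPLE_ROLES)` reports the Role limited by `resourceNames` as `scoped`, the rule that lists `secrets` without `resourceNames` as `broad`, and the comma-joined resource string as `malformed`.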

In this case, the DNS nameservers are ns-cloud-{e1-e4}.googledomains.com.
Yours could differ slightly, e.g. {a1-a4}, {b1-b4} etc.

If this zone has a parent zone, you need to add the NS records of this zone to
the parent zone so that this zone can be found from the parent. Assuming the
parent zone is my-org-do and the parent domain is my-org.do, and the parent
zone is also hosted at Google Cloud DNS, you can follow these steps to add the
NS records of this zone into the parent zone:

Deploy ExternalDNS

# ExternalDNS without a mounted credential file
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:latest
        args:
        - --source=service
        - --domain-filter=$CUSTOM_DOMAIN # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=google
        - --google-project=$PROJECT_NAME # Use this to specify a project different from the one external-dns is running inside
        - --policy=sync # sync enables full synchronization, including record deletion; use upsert-only to prevent ExternalDNS from deleting any records
        - --registry=txt
        - --txt-owner-id=my-identifier

# ExternalDNS with the cloud-dns-key Secret mounted as its Google credential
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
# Secrets are not listed here: the key reaches the pod through the volume
# mount below, which needs no RBAC rule for the service account.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      volumes:
      - name: google-cloud-key
        secret:
          secretName: cloud-dns-key
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:latest
        volumeMounts:
        - name: google-cloud-key
          mountPath: /var/secrets/google
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        args:
        - --source=service
        - --domain-filter=$CUSTOM_DOMAIN # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=google
        - --google-project=$PROJECT_NAME # Use this to specify a project different from the one external-dns is running inside
        - --policy=sync # sync enables full synchronization, including record deletion; use upsert-only to prevent ExternalDNS from deleting any records
        - --registry=txt
        - --txt-owner-id=my-identifier

Then use the following command to apply the manifest you chose and install
ExternalDNS:

cat <<EOF | kubectl apply --filename -
<your-chosen-manifest>
EOF

You can verify that ExternalDNS is installed by running:

kubectl get deployment external-dns

Configuring Knative Gateway service

In order to publish the Knative Gateway service, the annotation
external-dns.alpha.kubernetes.io/hostname: '*.$CUSTOM_DOMAIN' needs to be added
to the Knative gateway service:

# In Knative 0.2.x and prior versions, the `knative-ingressgateway` service was used instead of `istio-ingressgateway`.
INGRESSGATEWAY=knative-ingressgateway

# The use of `knative-ingressgateway` is deprecated in Knative v0.3.x.
# Use `istio-ingressgateway` instead, since `knative-ingressgateway`
# will be removed in Knative v0.4.
if kubectl get configmap config-istio -n knative-serving &> /dev/null; then
    INGRESSGATEWAY=istio-ingressgateway
fi

kubectl edit svc "$INGRESSGATEWAY" --namespace istio-system

This command opens your default text editor and allows you to add the annotation
to the knative-ingressgateway service. After you’ve added your annotation, your
file may look similar to this (assuming your custom domain is
external-dns-test.my-org.do):